Penetration Testing mailing list archives

Re: Just getting started in pen-testing


From: Matt - MRS Security <matt () mrssecurity com>
Date: Mon, 10 Nov 2008 09:57:07 +0000

I believe and have stated before in the past that some sort of FAQ needs to be created which can be sent when joining this list and when questions of this type are made then the FAQ should be referred to.

By all means certain questions won't be able to be answered with the FAQ but would be worth compiling with a few people's help.

Erin? Thoughts?

Matt.

J. Oquendo wrote:
On Sat, 08 Nov 2008, m0rebel wrote:

I just started a penetration testing company called Bandit Defense. My
website is http://www.banditdefense.com and it has a lot of
information on services that I offer.

Take this as constructive criticism or whatever you'd like for
that matter.

For starters I didn't know if I was looking at a retro throwback
to the mid-late 90's and was expecting a blink tag to pop up
and smack me across the screen. Your site has zero professional
appeal to it and the only "scare" appeal it would have would be
to pre2k AOL'ers who were getting IM punted. Horrible design.

Secondly, your wording shows further lack of experience:

/*
I conduct internal penetration tests from your office and the surrounding building. I do detailed scans of all hosts on your network and try exploiting any vulnerabilities I find, then show you how to fix them
*/

Do you have permission to be in the surrounding building
for starters? If you came near me, I'm sure the people in
Sycamore Networks would escort you out.

Here is some productive advice - take the time to go out
and understand it all. You seem to think a company is going
to shiver in horror and demand your services (skulls, black,
horror) when they discover they need a penetration test.
This is and will never be the case for serious companies.

The processes involved with performing penetration testing
on a professional level go farther than:

nmap -sS -O -P0 j0orDoMaInh3r3.com

If I were you I would chuck the site so you don't put
yourself in a position to be forever ridiculed as a sort
of scriptkiddiot. After chucking the site, I would spend
some time reading ISECOM's OSSTMM over and over.

There is more to this industry than loading up X amount
of tools running them and calling it a day. Personally
if you came across any of the networks I have, you'd be
sandboxed for kicks and giggles while my admins fed you
false positives, forced you to find Irix exploits for
Windows machines.

Then... Since I typed it all up before, go read the
following posts in their entirety:

http://www.professionalsecuritytesters.net/article941.html
http://techexams.net/forums/viewtopic.php?t=38694
http://techexams.net/forums/viewtopic.php?t=38485
http://techexams.net/forums/viewtopic.php?t=38547
http://techexams.net/forums/viewtopic.php?t=40222

For those on this list with experience, I would hope
you would not promote the use of idiotic tools to
people who don't know what to do with them. How about
we educate people in an art, something respectable as
opposed to this muck it's coming to. When someone is
requesting "what's the uber duper hax0r tool" how about
pointing them to an RFC, to a book, to something more
productive than what I've been seeing.

I don't know about anyone else here, but every time I
see these questions/comments, I feel the profession is
degrading a-la old MCSE days of the 90's where everyone
has it.

This field is an art, it's not really meant for everyone
seriously. There is nothing wrong with wanting to learn
trying to understand, but I believe too many times too
many individuals, the garbage they throw out makes us
all in the profession look bad. I don't know about
anyone else, but personally I get tired having to explain
to someone - after I mention my position - that no I won't
"hack into a bank", "change their traffic tickets", etc..
This is the appearance being given: Stupid movie-like
(Hackers, Swordfish, Die Hard, etc., etc.) where everyone
is trying to jump in the car without learning how to drive.


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"Each player must accept the cards life deals him
or her: but once they are in hand, he or she alone
must decide how to play the cards in order to win
the game." Voltaire

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------


